anmolxlight opened a new pull request, #64749:
URL: https://github.com/apache/airflow/pull/64749
# fix: EksPodOperator 401 with cross-account AssumeRole via aws_conn_id
Fixes apache/airflow#64657
## Problem
When using `EksPodOperator` with `aws_conn_id` pointing to a cross-account
IAM role (via `AssumeRole`), pods fail with `401 Unauthorized`:
```
pods "simple-http-server" is forbidden: User "" cannot create resource
"pods" in API group "" in the namespace "default"
```
The audit log shows an empty user identity: `"user":{}`.
## Root Cause
The kubeconfig exec plugin `COMMAND` template in `EksHook` had two critical
fragility points:
1. **stderr merged into stdout** via `2>&1` — Python warnings, deprecation
notices, or log output from `eks_get_token` contaminated the stdout that bash
token parsing relies on. This caused the `last_line` extraction to grab the
wrong line, producing empty/invalid timestamp and token values.
2. **No token validation** — If parsing failed, a malformed `ExecCredential`
JSON with an empty token was sent to the EKS API server, resulting in 401 with
an empty user identity.
Same-account usage worked by accident because default MWAA execution role
credentials were already in the environment, so `eks_get_token` produced valid
output regardless of credential file sourcing.
## Changes
### `airflow/providers/amazon/aws/hooks/eks.py`
- Redirect stderr to `/dev/null` (`2>/dev/null`) instead of merging with
stdout (`2>&1`) to ensure clean token output for bash parsing
- Add token validation: exit with error if token extraction fails
- Add error messages to stderr for debugging credential issues
### `tests/unit/amazon/aws/hooks/test_eks.py`
- Add `test_command_template_redirects_stderr`: verifies stderr is
redirected to `/dev/null` and not merged with stdout
- Add `test_command_template_validates_token`: verifies the token validation
check and error exit
## Testing
```bash
# Verify the COMMAND template structure
python -c "
import sys
sys.path.insert(0, 'providers/amazon/src')
from airflow.providers.amazon.aws.hooks.eks import COMMAND
assert '2>/dev/null' in COMMAND
assert '2>&1' not in COMMAND
assert 'if [ -z \"\$token\" ]' in COMMAND
assert 'exit 1' in COMMAND
print('All checks passed')
"
```
## Verification
To verify the fix works with cross-account AssumeRole:
1. Set up two AWS accounts: Account A (MWAA) and Account B (EKS)
2. Create an IAM role in Account B that trusts Account A's execution role
3. Create a connection in MWAA using Account B's role ARN
4. Run an `EksPodOperator` task with `aws_conn_id` set to the cross-account
connection
5. Verify the pod is created successfully without 401 errors
--
This is an automated message from the Apache Git Service.
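The parsing failure and the two fixes described above (discard stderr, refuse to emit an empty token), as an added shell example that is not the PR's or Airflow's own code; the stand-in helper names and their one-line `timestamp token` output format are assumptions made for the example:

```shell
#!/bin/sh
# Constructed stand-ins for the token helper (names and output format are
# assumptions for this example, not Airflow's eks_get_token).
# "noisy": prints the credential line on stdout, then a warning on stderr.
fake_get_token_noisy() {
    echo "2030-01-01T00:00:00Z k8s-aws-v1.EXAMPLETOKEN"
    echo "DeprecationWarning:something-is-deprecated" >&2
}
# "broken": exits 0 but prints nothing usable (e.g. credentials never resolved).
fake_get_token_broken() {
    echo "WARNING:root:no-credentials" >&2
}

# Take the last line of the helper output and split it into timestamp + token.
parse_last_line() {  # $1 = raw helper output; sets $last_line, $ts and $token
    last_line=$(printf '%s\n' "$1" | tail -n 1)
    ts=$(printf '%s\n' "$last_line" | awk '{print $1}')
    token=$(printf '%s\n' "$last_line" | awk '{print $2}')
}

emit_exec_credential() {  # $1 = expiration timestamp, $2 = bearer token
    printf '{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","status":{"expirationTimestamp":"%s","token":"%s"}}\n' "$1" "$2"
}

# Fragile form: stderr merged into stdout, result emitted without any check.
# With the noisy helper the last line is the warning, so the token is empty and
# the API server receives an ExecCredential with no identity (the 401 in the PR).
fragile_exec_credential() {  # $1 = helper command
    output=$("$1" 2>&1)
    parse_last_line "$output"
    emit_exec_credential "$ts" "$token"
}

# Hardened form: stderr goes to /dev/null so only the credential line is parsed;
# a failing helper or an empty token aborts with a message on stderr instead.
hardened_exec_credential() {  # $1 = helper command
    output=$("$1" 2>/dev/null) || { echo "token helper exited non-zero" >&2; return 1; }
    parse_last_line "$output"
    if [ -z "$ts" ] || [ -z "$token" ]; then
        echo "could not extract EKS token from helper output: '$last_line'" >&2
        return 1
    fi
    emit_exec_credential "$ts" "$token"
}
```

Running `fragile_exec_credential fake_get_token_noisy` yields `"token":""`, while the hardened variant returns the real credential for the noisy helper and exits non-zero for the broken one.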